Browser and friends

A Java zero-day vulnerability has been exploited in the wild. The vulnerability was discovered independently by two researchers (Tavis Ormandy and Ruben Santamarta), and Tavis Ormandy informed Oracle. Details were published and a demo of the exploit was made available (the demo launches the calculator). Pity that Oracle's patch arrived a little late; Websense found dozens of web sites that contained the exploit code before the patch was available. Please keep your Java installation updated.

Apple patched vulnerability CVE-2010-1120 in the Safari browser. It was discovered by Charlie Miller, who used it to hack a fully patched MacBook at Pwn2Own 2010. A patch for QuickTime was also delivered this month, fixing 16 vulnerabilities.

Mozilla also gave a quick response to the vulnerability discovered at Pwn2Own 2010. The vulnerability was fixed in Firefox 3.6.3.

Hello ThreatSeeker. You've got mail!

Who says that you can't teach an old dog new tricks! This month one of the longstanding and more popular threats showed why it is still used so much, by adopting yet another new tactic. We reported on the Zeus gang sending out a new type of PDF attack. These attacks used a variation of the /Launch attack (reported by Didier Stevens earlier in the month) to socially engineer the victim into running an embedded executable. The messages carried these poisoned PDF attachments and enticed the user into opening the PDF by suggesting that it contained a report of a missed package delivery.

In another interesting campaign, spam messages were sent that looked as though they came from Twitter. Each message spoofed the "From" address to trick recipients into thinking it was a legitimate message from Twitter's support team. The content of the messages was very believable, because it was basically a copy of legitimate Twitter notification emails telling users that they had new messages waiting. However, the href targets of the links in the messages had been modified, so that clicking them actually led to bogus pharmaceutical sites.
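The Twitter campaign above combines a spoofed From header with links whose visible text looks legitimate while the href points elsewhere. The following Python is an added example, not code from the original newsletter or from Websense, showing how a mail gateway could flag that pattern: it parses the HTML body, collects every anchor, and reports links whose real target falls outside the claimed sender's domain or differs from the URL shown to the reader. The message is constructed for this example (the `cheap-meds.example` domain is a placeholder under the reserved `.example` TLD), and the "organizational domain" heuristic is deliberately crude (last two labels); a production filter would use the public suffix list.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the From header claims twitter.com, the body is a
# copy of a notification mail, and the first link's href does not match its text.
SAMPLE_EMAIL = b"""From: "Twitter Support" <support@twitter.com>
To: victim@example.org
Subject: You have 3 new direct messages
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have new direct messages waiting.</p>
<p><a href="http://cheap-meds.example/track?u=1">http://twitter.com/inbox</a></p>
<p><a href="http://twitter.com/about">About Twitter</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.x.com/...' text is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable(host: str) -> str:
    """Crude organizational domain: the last two DNS labels (assumption: no multi-label suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_suspicious_links(raw: bytes) -> list:
    """Return links whose real target disagrees with the claimed sender or the visible text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    claimed = registrable(msg["From"].addresses[0].domain)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = LinkCollector()
    collector.feed(html_part.get_content())

    findings = []
    for href, text in collector.links:
        target = registrable(host_of(href))
        reasons = []
        if target != claimed:
            reasons.append("target %s is outside claimed sender domain %s" % (target, claimed))
        if text.startswith(("http://", "https://", "www.")) and registrable(host_of(text)) != target:
            reasons.append("visible URL %s differs from real target %s" % (text, href))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the first link is reported, for two reasons (wrong domain, and display text that names a different host); the genuine twitter.com link passes. Checking the visible text against the href catches the case the newsletter describes even when the spoofed From header is itself a domain the filter would otherwise trust.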

Security Trends

According to the Microsoft Malware Protection Center (MMPC), the latest wave of zero-day malware attacks targeting a flaw in the Internet Explorer browser hit computers in over 50 countries. The most frequently targeted computers were in China and Korea, with the US a distant third.

Hackers discovered a way to run an embedded executable from within a PDF file without using any JavaScript and without exploiting any vulnerability. Didier Stevens' Escape From PDF hack and Jeremy Conway's proof of concept show how to control the message presented to the end user. Combined with clever social engineering, this means PDF readers could allow code execution if a user simply opens a rigged PDF file.

Speaking of running an embedded executable from within a PDF file, the Zeus malware attacks are now using the "/Launch" action feature of Adobe Reader to launch malicious attacks without exploiting a vulnerability in the software. The PDF file carries a compressed attachment, presented as another PDF, which is actually an executable; if run, it installs the Zeus bot.
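The three PDF items above (the Zeus attachments, Didier Stevens' Escape From PDF technique, and the /Launch action itself) all rely on PDF features rather than a bug, so a defender's first check is simply whether a file contains an action that can run something and a trigger that fires it. The Python below is an added example, not code from the newsletter or from any of the researchers named, that scans a PDF for /Launch, JavaScript, embedded-file and auto-trigger names, including names hidden with the `#xx` hex escapes that PDF syntax permits and content tucked inside FlateDecode streams. The two sample PDFs are constructed here for the example (their xref tables are omitted, which is fine for a byte-level scanner); the verdict thresholds are an assumption for illustration, not a vendor's rule set.

```python
import re
import zlib

# Names that can execute or trigger something. /OpenAction and /AA are often benign
# on their own (e.g. "go to page 1"), so they only raise the verdict when combined
# with something executable.
SUSPICIOUS = {
    b"/Launch": "launch action (runs an external program or attachment)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/EmbeddedFile": "embedded file stream (possible dropped executable)",
    b"/OpenAction": "action fired automatically when the document opens",
    b"/AA": "additional (event-triggered) actions",
}

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so an obfuscated /Launc#68 reads as /Launch."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that inflates as zlib data."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a FlateDecode stream (or not zlib at all); skip it
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count occurrences of each suspicious name in the raw file and in inflated streams."""
    text = normalize_names(data) + b"\n" + normalize_names(inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS:
        # Negative lookahead stops /JS from matching /JSx and /AA from matching /AAx.
        count = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if count:
            hits[name.decode()] = count
    return hits


def verdict(hits: dict) -> str:
    """Assumed triage rule: executable + trigger/attachment = high, either alone = medium."""
    executes = {"/Launch", "/JavaScript", "/JS"} & hits.keys()
    triggers = {"/OpenAction", "/AA"} & hits.keys()
    if executes and (triggers or "/EmbeddedFile" in hits):
        return "high"
    if executes or "/EmbeddedFile" in hits:
        return "medium"
    return "review" if hits else "low"


def build_sample_pdf() -> bytes:
    """Constructed malicious-looking PDF: launch action with a hex-escaped name, an
    embedded file, auto-trigger entries, and a JavaScript object hidden in a
    FlateDecode stream. The launch target only echoes text; it is a placeholder."""
    hidden = zlib.compress(b"6 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj\n",
        b"4 0 obj << /Type /EmbeddedFile /Length 20 >> stream\n",
        b"MZ-constructed-stub!\nendstream endobj\n",
        b"5 0 obj << /Type /Action /S /Launc#68 /Win << /F (cmd.exe) /P (/c echo constructed) >> >> endobj\n",
        b"7 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >> stream\n" % len(hidden),
        hidden, b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def build_clean_pdf() -> bytes:
    """Constructed benign PDF with a single empty page."""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("sample", build_sample_pdf()), ("clean", build_clean_pdf())):
        hits = scan_pdf(pdf)
        print(label, verdict(hits), hits)
```

The important detail is the normalization step: a filter that greps for the literal string `/Launch` is defeated by writing the name as `/Launc#68`, and one that ignores streams misses objects stored in compressed object streams. The scanner is a triage heuristic, not a parser; a "high" verdict is a reason to quarantine and inspect with a real PDF parser, and a "review" verdict (trigger entries but nothing executable) is common in ordinary documents.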

Google's Security Team is about to release the results of its 13-month study into the growth of fake AV. The analysis shows that fake AV currently accounts for 15% of all malware that Google detects on the web and for 50% of all malware delivered via advertisements. Fake AV also accounts for 60% of the malware discovered on domains that include trending keywords.